Lenovo-IBM deal under US scrutiny over server use by Pentagon

Lenovo Group Ltd. must convince government officials that buying a server unit from International Business Machines Corp. won't give China back-door access to U.S. secrets and infrastructure.

The wrinkle is that the Pentagon, the FBI and the nation's biggest telecommunications companies buy the IBM servers, according to people familiar with the matter and an analysis by Bloomberg Industries.

Use of the servers by the government, telephone networks and other potentially sensitive customers will spark close scrutiny from the interagency group known as the Committee on Foreign Investment in the U.S., which investigates national- security risks of foreign acquisitions of domestic companies.

"It's kind of the perfect storm of issues," said Anne Salladin, a former Treasury Department official who worked on CFIUS reviews and is now at Stroock & Stroock & Lavan LLP in Washington. "Any foreign acquirer with this kind of asset purchase is very likely to be something that CFIUS would want to take a look at."

Beijing-based Lenovo, which announced the $2.3 billion IBM purchase Jan. 23, has formally sought approval for the deal from CFIUS, according to a person with knowledge of the matter. Acquisitions of U.S. businesses by Chinese buyers are rising, increasing tension in Washington over Chinese access to U.S. technology. CFIUS reviews can take as many as 75 days.

Briefing Officials

Lenovo, which bought IBM's personal computer business in 2005, has been briefing officials on the deal, pointing out that it won't have access to the servers because IBM will continue maintenance on the equipment, according to a person familiar with the matter. That agreement lasts for five years and could be extended, said the person.

The service agreement may help ease the security review by CFIUS, which examined more than double the number of transactions by Chinese investors in 2012 than it did the previous year, making them the most scrutinized foreign buyers of American assets ahead of the U.K., according to the committee's most recent report to Congress.

"The government is going to take a look at the degree of penetration of the servers, where they are, how old they are, what the reachback capability might be," Mario Mancuso, an attorney at Fried, Frank, Harris, Shriver & Jacobson LLP. "Could they use the servers as a means of insertion into U.S. government networks and data systems?"

Critical Infrastructure

U.S. officials will also examine any use of the servers in critical infrastructure, such as chemical plants and electric- utility companies, Michael Wessel, a member of the U.S.-China Economic and Security Review Commission.

"Exfiltration and infiltration are the issues," Wessel said. "Can they get access to servers in some way and take data out or can they infiltrate the system to put in trap doors, viruses, malware or be able to take down systems in a potential conflict situation?"

A Bloomberg Industries analysis of federal contract data shows government purchasers of IBM BladeCenter servers include the Pentagon, the FBI, and the Department of Homeland Security.

Chris Padilla, the company's vice president for governmental programs, told Bloomberg in January that IBM servers are used by the U.S. government, without identifying which agencies.

Air Force Lieutenant Colonel Damien Pickart, a spokesman for the Pentagon, acknowledged that the Lenovo-IBM transaction is pending before CFIUS and added that the Defense Department, which is a member of the committee, would be involved in the deliberations. He declined to comment further and referred questions to Treasury, which chairs the committee.

Holly Shulman, a CFIUS spokeswoman, declined to comment. Spokesmen for the FBI and the Department of Homeland Security didn't respond to requests seeking comment.

The servers are also embedded in telephone networks operated by AT&T Inc., Verizon Communications Inc. and Sprint Corp., according to three people familiar with the technology.

IBM spokeswoman Deirdre Murphy Ramsey declined to comment on the Armonk, New York-based company's clients. IBM is prepared for a "comprehensive review" by CFIUS and is "confident of a positive outcome," she said.

Malicious Hardware

Mark Siegel, an AT&T spokesman, Richard Young, a Verizon spokesman, and John Taylor, a Sprint spokesman, declined to comment.

Lawmakers and the Obama administration have tried to prevent China's Huawei Technologies Co. and ZTE Corp. from doing business in the U.S. A 2012 report by the House Intelligence Committee cited security threats posed by Chinese telecommunications companies and urged the government to block transactions by Huawei and ZTE. The companies provide "a wealth of opportunities" for Chinese intelligence agencies to insert malicious hardware or software into U.S. telecommunications networks, according to the report.

Then U.S. Commerce Secretary Gary Locke expressed "deep concerns" to Sprint in 2010 that Huawei might win a contract to upgrade the mobile-phone carrier's network.

"Anything now with China gets attention," said James Lewis, a senior fellow at the Center for Strategic and International Studies. "But Lenovo, because it's not a state- owned enterprise and because they've done deals successfully in the past, they're really well placed to get through."

x86 Processors

Lenovo would get IBM servers that use x86 processors, an industry-standard technology. The transaction includes BladeCenter and Flex System blade-style servers -- slim devices that slide into racks -- along with switches that run corporate computer networks. IBM will keep its System z mainframes, Power servers and other higher-end hardware.

Lenovo is working cooperatively with CFIUS to win clearance, spokesman Brion Tingler said in a statement. The company has had three previous acquisitions cleared by the committee, including the 2005 IBM deal.

While the companies say they expect to win clearance from CFIUS, Lenovo will probably have to agree to restrictions on the business, according to lawyers who advise companies on deals that require U.S. security review.

Protect Interests

Those agreements can include requirements that only U.S. citizens handle certain services, independent audits, guidelines for handling government contracts, and termination of certain business activities, according to CFIUS's most recent report to Congress.

"This is not just some Chinese company you've never heard of," said Stephen Paul Mahinka, a lawyer at Morgan, Lewis & Bockius LLP. "There are ways in which you can protect U.S. interests while at the same time not preventing the acquisition."

While servers can store large collections of sensitive data, the risks associated with them are about the same as that from laptops and smartphones, which consume the same data and have access to the servers, said Michael Belton, a security expert at cybersecurity company Rapid7. Once installed in a network, servers are also more heavily defended and monitored, he said.

"There isn't a large difference between a server and a laptop," Belton said. "Modern laptops can and do store as much sensitive data as a server."